Without Snark, no Matter How Much is Deserved

I've been mulling over how to write this post for a couple days now. The problem I have is what I want to talk about is so ridiculous there is no amount of snark which would be appropriate for it. I was considering writing a post about it without any snark, but I feel like doing that would give a misleading impression about the severity of what I discuss.

After weighing my options, I've decided to write the body of the post without snark while adding this disclaimer to warn people the neutral wording of this post should in no way be taken to indicate what I discuss is not ludicrous. Because it is. This post by Steve McIntyre is, without a doubt, the most absurd thing I've ever seen him write.

And make no mistake, this is no small feat. To this day, McIntyre has refused to acknowledge that Russia invaded Crimea. Russia sent military troops to occupy cities in Crimea, capture government buildings and hold its parliament hostage until they voted to secede from Ukraine.

McIntyre has not denied any of that. He doesn't admit it either. He simply ignores it and says none of that could qualify as an "invasion" because Russia had a treaty with Ukraine which allowed it to have a naval base in Crimea with some troops there. The United States has military bases in many countries. I am certain McIntyre would not say the same if the United States sent troops from one of those bases to a region to occupy cities, capture government buildings and hold the government hostage.

I hope you'll forgive the segue here, but I believe a certain amount of moral outrage is appropriate for Russia's actions and the defense for them given by people like McIntyre. Plus, while today's discussion is about something nowhere near as heinous, it is, somehow, more outrageous. And with that, I will refrain from any further rhetoric or snark.

The post I wish to discuss today is one of a series McIntyre has written to call into question the idea Russia was behind the hacking of the Democratic National Committee (DNC) in the leadup to the 2016 United States presidential election. A repeated theme in his posts is a supposed lack of genuine investigation underlying the widely accepted narrative of that event. His writings on the matter are presented as helping break new ground, often ground he says other people should have examined long before. This leads to rhetoric like this part of his post's conclusion:

It is bewildering that attribution is made on such shallow reasoning. There was no basis at the time for SecureWorks’ assertion that it was “likely” that DNC had used gmail and subsequently changed. This was pulled out of thin air. None of the many computer security analysts opining on attribution bothered to confirm this hypothesis with DNC themselves or else they would have found out the opposite. Nor do the analysts appear to have checked this hypothesis against information from the Wikileaks DNC archive itself. If they had, they would have seen that it was untrue. Nonetheless, the attribution of the DNC hack to gmail phishing has been more or less universally adopted as a line of evidence supposed pointing squarely to Russia and Putin personally e.g. Rid cited above.

McIntyre's comments on such matters might be a damning criticism of many people if they were true. They often are not. This paragraph is a great example. This paragraph contains an almost entirely false portrayal based upon misrepresentations and misunderstanding of simple matters. To show this, I'll go through McIntyre's post to show what he tries to use to support this portrayal. His post begins:

In two influential articles in June 2016 (June 16 here and June 26 here), SecureWorks purported to link the then recently revealed DNC hack to Russia via a gmail phishing campaign which they had been monitoring since 2015 and which they attributed to APT28 (Fancy Bear). They had observed multiple phishing targets at hillaryclinton.com, dnc.org and personal gmail accounts of campaign officials and surmised that one of these targets at DNC must have been tricked by the phishing campaign, from which APT28 obtained access to the DNC server.

In this paragraph, McIntyre claims the company Secureworks "purported to link the then recently revealed DNC hack to Russia via a gmail phishing campaign." He also says Secureworks "surmised that one of these targets at DNC must have been tricked by the phishing campaign, from which APT28 obtained access to the DNC server."

This is false. The June 26th article McIntyre links to never discusses the DNC hack. The June 16th article says this about it:

The U.S. Democratic party's governing body, the Democratic National Committee (DNC), uses the dnc.org domain for its staff email. Between mid-March and mid-April 2016, TG-4127 created 16 short links targeting nine dnc.org email accounts. CTU researchers identified the owners of three of these accounts; two belonged to the DNC's secretary emeritus, and one belonged to the communications director. Four of the 16 short links were clicked, three by the senior staff members. As of this publication, dnc.org does not use the Google Apps Gmail email service. However, because dnc.org email accounts were targeted in the same way as hillaryclinton.com accounts, it is likely that dnc.org did use Gmail at that time and later moved to a different service.

CTU researchers do not have evidence that these spearphishing emails are connected to the DNC network compromise that was revealed on June 14. However, a coincidence seems unlikely, and CTU researchers suspect that TG-4127 used the spearphishing emails or similar techniques to gain an initial foothold in the DNC network.

The first thing to note is there is no mention of "the DNC server." This is because the DNC network contained many devices, and absent information about just what avenue the attackers used, it is impossible to know which devices were compromised or what material was taken from which. The mistake of using a phrase like "the DNC server" is compounded by falsely attributing it to SecureWorks.

The next thing to note is Secureworks clearly said it did "not have evidence that these spearphishing emails are connected to the DNC network compromise." It is impossible to reconcile that statement with the claim they "surmised that one of these targets at DNC must have been tricked by the phishing campaign, from which APT28 obtained access to the DNC server."

What Secureworks actually said was much more measured, noting because of the timing of the matters "a coincidence seems unlikely." Additionally, they did not claim the spearphishing campaign they monitored was involved in the attack at all, saying they "suspect that [the hackers] used the spearphishing emails or similar techniques to gain an initial foothold in the DNC network." This leaves open the possibility the spearphishing didn't lead to the breach, but rather, a separate form of attack by the same people did (hackers often try different attacks against the same target). Also, Secureworks accurately assessed the attack involved "the DNC network," not "the DNC server."

The second paragraph of McIntyre's post is:

Their argument was quickly accepted by computer security analysts. In an influential article in October 2016, Thomas Rid, a prominent commentator on computer security, stated that this argument was the most important evidence in attribution of the DNC hack to Russia – it was what Rid called the “hackers’ gravest mistake”.

Since Secureworks didn't make the argument McIntyre claims they made, it would be impossible for Thomas Rid or anyone else to have quickly accepted it. Additionally, Rid did not say what McIntyre claims he said. There is no mention of this supposed connection made by Secureworks being "the most important evidence in attribution of the DNC hack to Russia" in Rid's article. In fact, Rid does not even claim to know the one led to the other. He implies it by saying:

Between October 2015 and May 2016, the hacking group used nine thousand links to attack about four thousand Gmail accounts, including targets in Ukraine, the Baltics, the United States, China, and Iran. Fancy Bear tried to gain access to defense ministries, embassies, and military attachés. The largest group of targets, some 40 percent, were current and former military personnel. Among the group's recent breaches were the German parliament, the Italian military, the Saudi foreign ministry, the email accounts of Philip Breedlove, Colin Powell, and John Podesta—Hillary Clinton's campaign chairman—and, of course, the DNC.

The implication is the links sent via those e-mails led to the breaches Rid refers to, but he doesn't state that as fact. Rid says who was targeted with spearphishing attacks (supposedly) by a particular group then lists breaches that group (supposedly) was responsible for. It is natural to connect the two, but the wording itself leaves open the possibility some of those breaches happened via other avenues when the spearphishing campaign proved insufficient.

Additionally, Rid never labeled this argument the hackers' "gravest mistake," as McIntyre claims. Grammatically speaking, it is unclear how an argument (supposedly) made by Secureworks could be the "gravest mistake" made by hackers. Presumably, what McIntyre means is the spearphishing campaign, not any arguments about it, was the "gravest mistake." However, this is not what Rid said. Rid did not say the spearphishing was any kind of mistake. He said:

But the hackers' gravest mistake involved the emails they'd used to initiate their attack.... To manage so many short URLs, Fancy Bear had created an automated system that used a popular link-shortening service called Bitly. The spear-phishing emails worked well—one in seven victims revealed their passwords—but the hackers forgot to set two of their Bitly accounts to "private." As a result, a cybersecurity company called SecureWorks was able to glean information about Fancy Bear's targets.

The "gravest mistake" Rid refers to is the hackers' failure to set two accounts used to create links involved in the spearphishing campaign to private, allowing people to glean information about the campaign. McIntyre never once refers to this mistake, so regardless of what he intended with the grammar of his statement, it cannot be accurate.

Failing to accurately reflect what Rid said creates a strange situation when McIntyre goes on to state the central premise of his post then discuss the hacking of John Podesta's e-mails:

However, the connection of the DNC hack to the gmail phishing campaign, as set out in the SecureWorks article, was very speculative, even tenuous. In addition, subsequent evidence in the DNC emails themselves conclusively refuted even this thin connection. To be clear, the issues pertaining to the DNC hack are distinct from the Podesta hack – which, though unknown at the time of the June 2016 SecureWorks’ article, can be convincingly attributed to gmail phishing accompanied by bitly link-shorteners.

The reference to John Podesta's e-mails being hacked is followed up:

SecureWorks reported that they studied “8,909 Bitly links that targeted 3,907 individual Gmail accounts and corporate and organizational email accounts that use Gmail as a service” from May 2015 to mid-May 2016, looking for patterns in the targets. Included among the target email addresses were 213 links to 108 email addresses on the hillaryclinton.com domain from mid-March to mid-May 2016; 16 links targeting nine dnc.org accounts; and 150 links to gmail accounts of individuals linked to the Hillary for America campaign, the DNC, or other aspects of U.S. national politics. Ironically, while they identified a couple of individual officials (by title) whose personal gmail had been hacked, Podesta was not among them.

McIntyre calls it ironic Podesta was not listed as a specific target of the attacks. The word "irony" is misused often enough there may be some common usage which fits this statement, but an interesting omission from this paragraph is a simple consideration. Secureworks identified two accounts used in spearphishing campaigns with their security settings incorrectly set, allowing them to glean some information about the campaigns. Secureworks never claimed those were the only two accounts used. Podesta not being referenced in this report may have been ironic in some way, but the fact he may have been victimized by an account which wasn't monitored seems more noteworthy.

Moving on several paragraphs, McIntyre explains how the spearphishing campaign used a fake login screen to try to trick people into giving up their account information. He then says:

It’s one thing to trick someone in regard to a personal email account, but how is this scam supposed to work on someone with a hillaryclinton.com or dnc.org email? And why would a gmail scam phish non-gmail addresses? Here SecureWorks begins to arm-wave.

In respect to the hillaryclinton.com domain, they observed that they appeared to have used gmail as their “organizational mail solution”:

An examination of the hillaryclinton.com DNS records shows that the domain’s MX records, which indicate the mail server used by the domain, point to aspmx.l.google.com, the mail server used by Google Apps. Google Apps allows organizations to use Gmail as their organizational mail solution.

It would be mildly interesting to know whether their hillaryclinton.com email sign in page was the generic Gmail sign-in page or whether it had campaign logos. However, this issue is moot since the Wikileaks DNC hack consists of dnc.org emails (not hillaryclinton.com emails, except for very few and incidental emails, none from Hillary, Huma or other principals of the campaign).

McIntyre claims Secureworks begins to arm-wave here, yet he offers nothing but incredulity to justify that claim. He could have chosen to investigate to try to find out what sort of login screen a business using Google for its "organizational mail solution" presents to people logging into their mail. He did not.

McIntyre then assumes the same page was presented to each target of the spearphishing campaign, saying "[i]t would be mildly interesting to know whether their hillaryclinton.com email sign in page was the generic Gmail sign-in page or whether it had campaign logos." McIntyre offers no explanation for why this would matter, but the implication is he believes an organization using a customized login page would mean users presented with a generic login page would realize the page was fake. McIntyre offers no reason as to why the attackers would not be able to create a customized fake page to match any customized page used by an organization.

McIntyre then says:

This theory, such as it is, doesn’t work for dnc.org as SecureWorks themselves conceded:

As of this publication [June 16, 2016], dnc.org does not use the Google Apps Gmail email service.

To overcome this seemingly insurmountable obstacle, they arm-waved:

However, because dnc.org email accounts were targeted in the same way as hillaryclinton.com accounts, it is likely that dnc.org did use Gmail at that time and later moved to a different service.

At the time, SecureWorks didn’t know of the very restricted effective time range of the Wikileaks DNC archive: from April 19, 2016 to May 25, 2016. (There are a very very small number of emails with an apparently earlier timestamp, but these are convincingly argued by steemwh1sks to have been transferred during the above window. Steemwh1sks1 also pointed out that DNC had a 30-day retention policy and convincingly argued that the Wikileaks archive was exfiltrated between May 19 and May 25, 2016.) On SecureWorks’ theory, it is necessary to show that it is likely that DNC was using gmail up to May 25, 2016, switching only a few days prior to their article on June 16 – something that seems implausible on its face.

Secureworks said, "Between mid-March and mid-April 2016, TG-4127 created 16 short links targeting nine dnc.org email accounts." It also noted the DNC breach was revealed June 14th, citing an article which stated:

CrowdStrike was enlisted by the DNC early last month after the DNC suspected something was amiss in its servers.

With that being published in June, "early last month" would have meant early May. That means Secureworks was using a time window of mid-March to early May. If they made the assumption the hackers stopped targeting the DNC with spearphishing after they believed the DNC network, then their time window would have been mid-April to early May. The window McIntyre cites as being more informative is April 19th to May 25th. This is actually wider than what Secureworks may have worked with.

While that is a worthwhile aside, the significant problem comes when McIntyre says:

On SecureWorks’ theory, it is necessary to show that it is likely that DNC was using gmail up to May 25, 2016, switching only a few days prior to their article on June 16 – something that seems implausible on its face.

There are several problems with this claim. First, the date certain material was copied from the DNC network need not be the same date the network was first breached. In fact, all reporting agrees the two dates were not the same. McIntyre himself has written about how the hackers had access to the DNC network for a period of time.

If the hackers used spearphishing to gain an initial foothold in the DNC network as Secureworks suggests may have happened, their access would have been limited. Stealing a person's e-mail account information doesn't mean they have access to everything on a server, much less the entire network. They would have needed to use other exploits to escalate their privileges/control. That that happened has been reported by many people, including Guccifer 2.0, the entity which took credit for the breach.

McIntyre's claim this mail service must have been active until May 25th under this narrative is false. It could have been active in April, or even March, and served to provide the attackers their initial foothold. Once they had that, they could use exploits to gain further access, at which point the e-mail credentials they had stolen would become unnecessary.

In addition to McIntyre's claim being false on facts, it is also false on implication. McIntyre paints it as implausible the DNC would have changed e-mail services in such a coincidental time period. However, the time period in question was when the DNC was responding to a security breach. It would be completely unremarkable if an organization which had just been hacked, possibly through its e-mail service, changed what e-mail service it used. McIntyre fails to note this plausible explanation for the "coincidental" timing.

McIntyre then says:

Against this intuitively implausible theory, there is also direct evidence in the Wikileaks DNC emails themselves. On May 17, a response from the IT helpdesk shows that the DNC was using (Microsoft) Outlook for email – not Google Apps Gmail.

This statement rests on an incoherent argument. McIntyre claims Google services (which are now named G-Suite) couldn't have been used as Microsoft Outlook was being used. Leaving aside McIntyre's faulty logic in terms of dates, this argument is incoherent. There is no contradiction between an organization using both Microsoft Outlook and G-Suite. In fact, many organizations use both.

Google offers its G-Suite package to give organizations a way to manage services like e-mail without having to handle all the details themselves. In effect, you pay Google to manage servers like your e-mail server for you. One of the benefits of this is it provides users a similar experience to their personal Gmail accounts.

Microsoft Outlook does not manage servers. Outlook is a personal information program, designed to be used by individual users to manage things like their e-mail. People who use Outlook typically connect their Outlook program to one or more e-mail accounts on other servers so Outlook can connect to and use those servers.

This includes Google servers. Users often connect Outlook to Gmail accounts so they can manage those accounts from Outlook, obviating the need to go to a web page in order to manage their e-mail. Outlook is a front-end tool which connects to other back-end devices, like e-mail servers. Using Outlook and Google mail servers is no more contradictory than using Internet Explorer to access Google mail servers via a web page.
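The client/backend distinction above can be checked from two independent pieces of data, shown here as an added example that is not part of the original post: a domain's MX records name the mail backend, while a message's X-Mailer header names the client that sent it. The domain example.org, the MX answer lines and the message are constructed sample data, and the provider suffix table is an illustrative assumption rather than a complete list.

```python
import re
from email import message_from_string

# MX host suffixes that identify a hosted mail backend (illustrative, not
# exhaustive). aspmx.l.google.com is the host named in the SecureWorks quote.
BACKEND_SUFFIXES = {
    "google.com": "Google-hosted mail",
    "mail.protection.outlook.com": "Microsoft-hosted mail",
}

# Constructed dig-style answer for a made-up domain.
SAMPLE_MX = """\
;; ANSWER SECTION:
example.org.    3600  IN  MX  5 alt1.aspmx.l.google.com.
example.org.    3600  IN  MX  1 aspmx.l.google.com.
"""

# Constructed message from a user of that domain. X-Mailer is written by the
# sending client, so it is a hint about the front end, not proof.
SAMPLE_MESSAGE = """\
From: helpdesk@example.org
To: staff@example.org
Subject: Password reset
X-Mailer: Microsoft Outlook 16.0

Your password has been reset.
"""

MX_LINE = re.compile(r"^\S+\s+\d+\s+IN\s+MX\s+(\d+)\s+(\S+)\s*$")


def parse_mx(answer_text):
    """Return (preference, host) tuples, lowest preference first."""
    records = []
    for line in answer_text.splitlines():
        match = MX_LINE.match(line.strip())
        if match:
            host = match.group(2).rstrip(".").lower()
            records.append((int(match.group(1)), host))
    return sorted(records)


def classify_backend(records):
    """Name the mail backend from the primary (lowest-preference) MX host."""
    if not records:
        return "no MX records"
    host = records[0][1]
    for suffix, name in BACKEND_SUFFIXES.items():
        # Match on a label boundary so "notgoogle.com" is not misclassified.
        if host == suffix or host.endswith("." + suffix):
            return name
    return "self-hosted or other provider: " + host


def client_of(raw_message):
    """Return the mail client a message claims to have been sent with."""
    msg = message_from_string(raw_message)
    return msg.get("X-Mailer") or msg.get("User-Agent") or "unknown client"


if __name__ == "__main__":
    print("backend:", classify_backend(parse_mx(SAMPLE_MX)))
    print("client: ", client_of(SAMPLE_MESSAGE))
```

For the sample data the backend is Google-hosted while the client is Outlook, which is the combination the paragraph above describes as unremarkable.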

The next paragraph from McIntyre is the one quoted near the beginning of this post, which begins:

It is bewildering that attribution is made on such shallow reasoning. There was no basis at the time for SecureWorks’ assertion that it was “likely” that DNC had used gmail and subsequently changed. This was pulled out of thin air. None of the many computer security analysts opining on attribution bothered to confirm this hypothesis with DNC themselves or else they would have found out the opposite. Nor do the analysts appear to have checked this hypothesis against information from the Wikileaks DNC archive itself.

While McIntyre may find Secureworks' reasoning on this matter bewildering, he is wrong to claim there "was no basis at the time for" it. He is wrong to say it "was pulled out of thin air." In writing his post, McIntyre fails to note a key piece of evidence this service was in fact being used - the hackers.

A group of hackers specifically targeted people with a spearphishing campaign which could only succeed if a particular service was being used. The fact the hackers believed, and in fact relied upon, this service being used is evidence the service was in fact being used. People may disagree about how much weight should be put on that evidence but to simply pretend it does not exist is peculiar. To do so while lambasting security analysts for failing to consider evidence is...

Well, I promised to avoid rhetoric and snark so I'll leave it there.

3 comments

  1. Thorough, factual and logical analysis. Not nitpicking. Totally without snark: wink wink. I am beginning to think that Steve is a Russian bot. He's been bending over backwards to defend Stalinist KGB dictator Putinski's serial crimes.

    Crowdstrike, Secureworks and assorted amateur kibitzers like Steve are irrelevant. NSA-CYBERCOM knows who done it. And the Russkis knew, while they were doing it, that they were under surveillance.

  2. I wouldn't go so far as to say this isn't nitpicking. Some of the stuff, like the difference between "the DNC server" and "the DNC network" feel a bit like nitpicking. At the same time, that's the sort of error anyone who understands the topic shouldn't make. That it's a "small" error doesn't change that it seems to indicate a poor grasp of the topic by the author.

    Plus, it has a knock-on effect that is non-trivial. McIntyre seems to believe whatever account information might have been stolen in the spearphishing campaign (if that is how the hackers got in) must have been used the entire time. In the same way, it seems McIntyre thinks there was a single server that was broken into. A person who actually understands this sort of thing would know stealing login credentials for an e-mail account wouldn't give access to "the DNC server." The hackers would have had to find some way to leverage that account information into greater levels of access to the network at large. As they gained further access to the network, those initial login credentials to an e-mail account would have likely become irrelevant. Thus the "nit" of "server" vs. "network" seems to show not some minor mistake where the wrong word was used, but a mistake where the author didn't understand the topic enough to know which word to use. And that lack of understanding led to other errors, ones which impact his conclusions.

    If a person writes a piece about some fairly complex issue using mathematics and claims the -sqrt(49) is -7, is it nitpicking to point out the answer could also be 7? Maybe. After all, that could be some minor mistake that means nothing. On the other hand, if they make other mistakes which are much more serious, generally showing no grasp of the topics they're discussing, maybe that "nit" shows something more. Maybe it wasn't just some brain fart. Maybe it was them not understanding a basic concept.

  3. Not sure about overall McIntyre posts on the topic, but I agree with the general idea of your post, and definitely with the previous comment 100%. Perhaps the best thing you've ever written.
